Ansible
Contains everything on the Ansible IT automation tool: playbooks and tricks
- Playbook - Clearing Users' Data Files in a Group of Windows Machines
- Playbook - Update Windows Machine (Windows Update Disabled)
- Playbook - Initiate Clamscan on Machines with ClamWin Installed
- Playbook - Disable Windows Updates
Playbook - Clearing Users' Data Files in a Group of Windows Machines
The playbook below removes the users' data on every computer that belongs to an inventory group. It performs the following steps:
- Disable and remove the target user
- Reboot to remove any file locks from the logged in user
- Remove any files in the user's directory, skipping symbolic links
- Re-create a public user with the same username and empty password that cannot be changed
- Enable auto login for the user so that a new machine will be configured for auto login as well
- Reboot the computer to apply the configuration
The playbook is as follows; replace the placeholders enclosed in < > with the desired values:
---
- hosts: <inventory group / host>
  tasks:
    - name: remove user account
      win_user:
        name: <username>
        account_disabled: yes
        state: absent
    - name: reboot
      win_reboot:
        msg: "Scheduled reset started, windows will reboot in 90 seconds"
        # the win_reboot option is named pre_reboot_delay
        pre_reboot_delay: 90
    - name: remove any files in the folder tree
      ignore_errors: yes
      win_shell: |
        $Path = "C:\Users\<username>"
        Remove-Item "$Path" -Force -Recurse -ErrorAction SilentlyContinue
        if (Test-Path "$Path" -ErrorAction SilentlyContinue)
        {
          # Skip top-level symbolic links and junctions (reparse points)
          $folders = Get-ChildItem -Path $Path -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) }
          ForEach ($folder in $folders)
          {
            # Remove-Tree is not a built-in cmdlet; Remove-Item -Recurse replaces it
            Remove-Item $folder.FullName -Force -Recurse -ErrorAction SilentlyContinue
          }
          $files = Get-ChildItem -Path $Path -File -Force
          ForEach ($file in $files)
          {
            Remove-Item $file.FullName -Force -ErrorAction SilentlyContinue
          }
          if (Test-Path "$Path" -ErrorAction SilentlyContinue)
          {
            Remove-Item $Path -Force -ErrorAction SilentlyContinue
          }
        }
    - name: re-add user account
      win_user:
        name: <username>
        state: present
        groups: Users
        user_cannot_change_password: yes
        password_expired: no
        # the win_user option is named password_never_expires
        password_never_expires: yes
    - name: enable auto logon
      # Winlogon keeps DefaultPassword in plaintext in the registry;
      # here it is the empty password of the public account
      win_shell: |
        Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoAdminLogon' -Value '1'
        Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'DefaultUsername' -Value '<default username>'
        Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'DefaultPassword' -Value ''
    - name: reboot to apply new settings
      win_reboot:
        msg: "Scheduled reset completed, windows will reboot in 5 seconds"
        pre_reboot_delay: 5
References:
- https://luke.geek.nz/win/using-powershell-setup-automatic-logon-windows-servers/
- https://stackoverflow.com/a/31450526
- https://docs.ansible.com/ansible/2.5/modules/list_of_windows_modules.html
Playbook - Update Windows Machine (Windows Update Disabled)
This playbook will:
- Set the Windows Update service to manual start in case it is set to disabled on the machine
- Start the Windows Update service
- Download and install the updates, rebooting if required
The playbook is as follows; replace the values enclosed in < > with the desired values:
---
- hosts: <inventory group / hosts>
  tasks:
    - name: change windows update service to manual
      win_shell: Set-Service wuauserv -StartupType Manual
    - name: start windows update service
      win_shell: Start-Service wuauserv
    - name: download and install updates
      win_updates:
        reboot: yes
Playbook - Initiate Clamscan on Machines with ClamWin Installed
This playbook will initiate a full scan on all computers using the Clamscan that is installed through ClamWin:
---
- hosts: <inventory group / hosts>
  tasks:
    - name: full computer scan
      win_command: '"C:\Program Files (x86)\ClamWin\bin\clamscan.exe" -rv --move=C:\ProgramData\.clamwin\quarantine\ --database=C:\ProgramData\.clamwin\db\ --log=C:\ProgramData\.clamwin\log\ClamScanLog.txt --enable-stats C:\'
Playbook - Disable Windows Updates
This playbook downloads disable_windows_update.ps1 from a server that is reachable by all clients and executes the script to disable Windows updates on a group of Windows machines. Though it is written specifically to disable Windows Update, it can be modified to execute other scripts as well. The playbook is as follows; replace the values enclosed in < > with the desired values:
---
- hosts: <inventory group / hosts>
  tasks:
    - name: download script to disable windows update
      win_get_url:
        url: http://<url>/disable_windows_update.ps1
        # full file name, matching the path used by the tasks below
        dest: C:\disable_windows_update.ps1
    - name: execute disable windows update script
      win_shell: C:\disable_windows_update.ps1
    - name: remove script
      win_file:
        path: C:\disable_windows_update.ps1
        state: absent
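
The playbook above runs whatever the server returns, so a changed or tampered script would execute on every host in the group. The variant below is an added example, not part of the original page: it fetches the script over HTTPS, hashes it on the target and refuses to run it unless the hash matches a pinned value. The https URL, the script_sha256 variable and its placeholder value are assumptions; the hash has to be taken from a reviewed copy of the script.

```yaml
---
- hosts: <inventory group / hosts>
  vars:
    # Assumed placeholders, not values from the original page
    script_url: https://<url>/disable_windows_update.ps1
    script_sha256: <sha256 of the reviewed script, hex>
    script_path: C:\disable_windows_update.ps1
  tasks:
    - block:
        - name: download script over TLS
          win_get_url:
            url: "{{ script_url }}"
            dest: "{{ script_path }}"

        - name: hash the downloaded file on the target
          win_stat:
            path: "{{ script_path }}"
            get_checksum: yes
            checksum_algorithm: sha256
          register: script_stat

        - name: stop unless the hash matches the pinned value
          assert:
            that:
              - script_stat.stat.exists
              - script_stat.stat.checksum | lower == script_sha256 | lower
            msg: "disable_windows_update.ps1 does not match the pinned SHA-256, not executing"

        - name: execute disable windows update script
          win_shell: "{{ script_path }}"
      always:
        # Runs even when the download or the hash check failed,
        # so an unverified script is never left on disk
        - name: remove script
          win_file:
            path: "{{ script_path }}"
            state: absent
```

A failed assert stops the play for that host before the win_shell task, and the always section still deletes the file.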